Definition

"Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions)"

Builds upon and expands commonly described forms of governance, including corporate governance, enterprise governance, and information technology (IT) governance
Questions to Ask

What is at risk?

How much security is enough?

How does an enterprise
• evolve its approach to security?
• achieve and sustain adequate security?

© 2005 by Carnegie Mellon University
page 3
Carnegie Mellon
Software Engineering Institute


What Is At Risk?

• Trust
• Reputation; brand
• Shareholder/stakeholder value
• Market confidence, share, capitalization
• Regulatory compliance; fines, jail time
• Customer retention, growth
• Customer and partner identity, privacy
• Ability to offer, fulfill business transactions
• Staff morale



Trust

"The central truth is that information security is a means, not an end. Information security serves the end of trust. Trust is efficient, both in business and in life; and misplaced trust is ruinous, both in business and in life.

Trust makes it possible to proceed where proof is lacking. As an end, trust is worth the price. Without trust, information is largely useless."

[Dan Geer; "Why Information Security Matters"]
Responsibility to Protect Digital Assets

Duty of Care: D&O (directors and officers) Governance of Corporate Digital Security
• Govern business operations; protect critical assets
• Protect market share, stock price
• Govern employee conduct
• Protect reputation
• Ensure compliance requirements are met

Business Judgment Rule: that which a reasonably prudent director of a similar corporation would have used

[Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law]




Barriers to Tackling Security

• Abstract; concerned with hypothetical events
• A holistic, enterprise-wide problem; not just technical
• No widely accepted measures/indicators
• Disaster-preventing rather than payoff-producing (like insurance)
• Installing security safeguards can have negative aspects (added cost, diminished performance, inconvenience)
Shift the Security Perspective

                 From                    To
Scope:           Technical problem       Enterprise problem
Ownership:       IT                      Enterprise
Funding:         Expense                 Investment
Focus:           Intermittent            Integrated
Driver:          External                Enterprise
Application:     Platform/practice       Process
Goal:            IT security             Enterprise continuity/resilience
Security to Resiliency

From (security)                             To (resiliency)
Managing to threat and vulnerability        Managing to impact and consequence
No articulation of desired state to         Adequate security defined as desired state
Possible security technology overkill       Security in sufficient balance to cost, risk
A Resilient Enterprise Is Able To . . .

• withstand systemic discontinuities and adapt to new risk environments [Starr 03]
• be sensing, agile, networked, prepared [Starr 03]
• dynamically reinvent business models and strategies as circumstances change [Hamel 04]
• have the capacity to change before the case for change becomes desperately obvious [Hamel 04]
Security Strategy Questions

• What needs to be protected? Why does it need to be protected? What happens if it is not protected?
• What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action?
• How do we effectively manage the residual risk when protection and prevention actions are not taken?
Defining Adequate Security

The condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.

Risk appetite and risk tolerance as defined by COSO's Enterprise Risk Management Integrated Framework, September 2004.

http://www.cert.org/governance/adequate.html
Determining Adequate Security Depends On . . .

• Enterprise factors: size, complexity, asset criticality, dependence on IT, impact of downtime
• Market sector factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
• Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc.

http://www.cert.org/governance/ges-aware.html
http://www.cert.org/governance/stakeholder.html
Adequate Security and Operational Risk

"Appropriate business security is that which protects the business from undue operational risks in a cost-effective manner." [Sherwood 03]

"With the advent of regulatory agencies assessing a business's aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts." [Milus 04]

[According to Basel II, operational risks are risks of loss resulting from inadequate or failed internal processes, people, and systems or from external events. http://www.bis.org/publ/bcbs107.htm]


Evolving the Security Approach

[Figure: process maturation over time. Labels as they appear on the chart, top to bottom: Desired State; Enterprise Security Management; Process Maturation; Security Risk Management; Vulnerability Management; Incident Response. Horizontal axis: Time and Complexity.]


Shift the Security Approach

From: Ad-hoc and tactical      To: Managed and strategic
irregular                      systematic
reactive                       adaptive
immeasurable                   measured
absolute                       adequate

Security activities and measures of security performance are visibly aligned with strategic drivers and critical success factors.
Deriving a Framework

[Figure: three inputs (Standards, guidelines, & practices; Fieldwork & experience; High performing organizations) feed into a Capabilities Framework.]
Notional Set of Capabilities

Asset Management
Audit
Crisis Management
Enterprise Security Governance
IT Operations
Partner Management
Physical/Facilities Management
Process Management
Project Management
Risk Management
Security Operations
Systems Development
User Management
Mobilizing Capabilities to Achieve/Sustain Adequate Security


What Does Effective Security Look Like at the Enterprise Level?

• No longer solely under IT's control
• Achievable, measurable objectives are defined and included in strategic and operational plans
• Functions across the organization view security as part of their job (e.g., Audit) and are so measured
• Adequate and sustained funding is a given
• Senior executives visibly sponsor and measure this work against defined performance parameters
• Considered a requirement of being in business
What Is Internal Audit's Role?

• Leverage Audit's professionalism and enterprise-wide scope
• Supplement compliance activities with risk assessment and process improvement
• Create an enterprise-wide risk-based audit program (*)
• Broaden audit scope to address third-party and vendor risk
• Collaborate with IT to mitigate information systems risk proactively

(*) including enterprise security

[PricewaterhouseCoopers Internal Audit Global Best Practices; http://www.pwc.com/extweb/service.nsf/docid/D52A08081C25BC3885256F0B00522DF9]
Why Should Internal Audit Care?

Responsible for evaluating the adequacy and effectiveness of controls:
• Reliability and integrity of financial, operational information
• Effectiveness, efficiency of operations
• Safeguarding assets
• Compliance with laws, regulations, contracts

Brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes

[IIA, Tone at the Top, Issue 23, October 2004.]
For More Information

• Governing for Enterprise Security (http://www.cert.org/governance/ges.html)
• Enterprise Security Management (http://www.cert.org/nav/index_green.html)
• CERT web site (http://www.cert.org); ITPI web site (http://www.itpi.org); SEI web site (http://www.sei.cmu.edu)